I am using a CW305 board and want to glitch precise clock cycles to perform Piret attacks. Is there a way that I can do this easily? I have the glitches working through the GUI, but they seem to all huddle around one area in the middle of AES, and I don’t have a great idea what the offsets and widths are really representing.

The glitch module has some clock input (either the external clock from the target or the internal CLKGEN signal in the ChipWhisperer)

The glitch module turns this clock signal into a short pulse. The pulse starts (Offset %) of a period after the clock’s rising edge and lasts for (Width %) of the clock period. For example, an offset of 20% and a width of 30% would create a pulse that’s 3/10 of a clock cycle long, ending at the falling edge.

When the glitch module receives a trigger signal, it delays for (Ext Trigger Offset) clock cycles, then it combines the input clock and the pulse for (Repeat) cycles. Usually, the output is the input clock XORed with the pulse, but you can create other outputs (like pulse only).

This modified clock signal can be used as a clock output or a VCC crowbar signal (for clock or voltage glitching).

You should be able to get your attack to work by selecting a good trigger offset and sweeping different widths/offsets. However, these things can be very finicky (especially on an FPGA target, where many operations are done in parallel).

Hopefully that’s enough to get you started without overloading you with info. We do have a few more ways to fine-tune glitches if you’re having no luck - let me know how it goes.

Thanks for the response!
Do you know how many clock cycles it takes for the ChipWhisperer to complete an AES run? I need to pinpoint where the last MixColumn operation happens and glitch a specific byte of data. I kind of need to calculate this ahead of time because scanning over several ranges won’t tell me if I glitched the correct thing.

I don’t know exactly where the MixColumns operation happens. One thing that you could do to make this easier is to modify the AES source code so that the trigger happens in a different spot. If you set the trigger high right before MixColumns starts you should have a really good idea of where to sweep.

I was able to get glitch to work with SAD match producing a 10-20ns pulse followed by oscillating pulses. The first pulse is ~7v followed by diminishing pulse down to 1v before converging down to 0v after total of 10 pulses.

I have a need to convert these short pulses into one large 50us+ pulses.